measurement.
Oops. I misunderstood this the first time round. I don't think you can easily detect smurf initiations, because you have to guess at the broadcast address.

It's not difficult to detect SMURF initiators that belong to your own customers. For us, it's easy because we have IP accounting at the core routers and have some anti-smurf monitoring;
if you see ICMP-request packets with a DST address that looks like a broadcast, it's the bell for your NOC _let's check where these packets originated_ - and this traces you to the SMURFer in 90% of the cases. And this 0.0.0.255 255.255.255.0 address/wildcard_bits assumption makes a great approximation for the broadcast addresses.
I think it is much easier to detect and block forged source addresses, which are also necessary for the hacker who is operating out of your network.
--Dean
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Plain Aviation, Inc                                       dean@av8.com
LAN/WAN/UNIX/NT/TCPIP/DCE                           http://www.av8.com
We Make IT Fly!                                     (617)242-3091 x246
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
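
The two checks discussed in this message, run over accounting records, as an added example that is not part of the original thread: echo requests whose destination matches the 0.0.0.255 255.255.255.0 address/wildcard pair, and sources outside the prefix assigned to the ingress port. The port names, prefix table and records are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Cisco-style address/wildcard pair from the thread: 0.0.0.255 255.255.255.0
# Wildcard bits set to 1 are "don't care", so only the last octet must be 255.
ADDR = int(ipaddress.IPv4Address("0.0.0.255"))
WILDCARD = int(ipaddress.IPv4Address("255.255.255.0"))
ICMP_ECHO_REQUEST = 8

# Constructed customer-port -> assigned prefix table (hypothetical names).
CUSTOMER_PREFIXES = {
    "cust-a": ipaddress.ip_network("192.0.2.0/25"),
    "cust-b": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed accounting records: (ingress port, src, dst, protocol, icmp type)
RECORDS = [
    ("cust-a", "192.0.2.10", "203.0.113.255", "icmp", 8),
    ("cust-a", "192.0.2.10", "203.0.113.7", "icmp", 8),
    ("cust-b", "203.0.113.99", "192.0.2.255", "icmp", 8),
    ("cust-b", "203.0.113.99", "192.0.2.255", "icmp", 8),
    ("cust-b", "198.51.100.5", "192.0.2.255", "icmp", 0),
    ("cust-a", "192.0.2.20", "203.0.113.255", "tcp", None),
]

def looks_like_broadcast(dst):
    """True when dst matches ADDR on every bit the wildcard does not ignore."""
    d = int(ipaddress.IPv4Address(dst))
    return (d & ~WILDCARD & 0xFFFFFFFF) == (ADDR & ~WILDCARD & 0xFFFFFFFF)

def source_is_forged(port, src):
    """True when src is outside the prefix assigned to the ingress port."""
    return ipaddress.IPv4Address(src) not in CUSTOMER_PREFIXES[port]

def analyze(records):
    """Count smurf-like echo requests and forged sources per customer port."""
    smurf, forged = Counter(), Counter()
    for port, src, dst, proto, icmp_type in records:
        if source_is_forged(port, src):
            forged[port] += 1
        if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and looks_like_broadcast(dst):
            smurf[port] += 1
    return smurf, forged

if __name__ == "__main__":
    smurf, forged = analyze(RECORDS)
    print("echo requests to broadcast-looking addresses:", dict(smurf))
    print("packets with forged source:", dict(forged))
```

The wildcard match only approximates broadcast addresses: it assumes /24-aligned networks, so directed broadcasts of other subnet sizes are not matched.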